From: W.C.A. Wijngaards Date: Fri, 28 Feb 2020 10:10:12 +0000 (+0100) Subject: For incoming ssl context with verifypem != NULL, we can set X-Git-Tag: 1.11.0rc1~120^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e13dfc743d6864cff6ae909cbc1026b1b666c888;p=thirdparty%2Funbound.git For incoming ssl context with verifypem != NULL, we can set SSL_VERIFY_FAIL_IF_NO_PEER_CERT that can reject client connections without peer cert during the handshake, which is nicer than just a connection drop to the client (when we then check for no peer certificate afterwards). --- diff --git a/util/net_help.c b/util/net_help.c index 2a392781d..8f75da07f 100644 --- a/util/net_help.c +++ b/util/net_help.c @@ -996,7 +996,7 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem) } SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file( verifypem)); - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); } return ctx; #else
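Review bot: The post-handshake "no peer certificate" check that the commit message refers to should stay in place rather than be removed on the strength of this flag; SSL_VERIFY_FAIL_IF_NO_PEER_CERT only covers the case where the client sends no certificate at all, while a client that presents a certificate which fails to verify against the CA list loaded with SSL_load_client_CA_file is already rejected by SSL_VERIFY_PEER, so the explicit check after the handshake remains useful defence in depth and as the single place the policy is documented. The behavioural change for clients (a handshake alert instead of a completed handshake followed by a drop) is worth a line in the Changelog since operators debugging client-cert setups will now see a different failure.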